Add flake checks (formatter, linters, secret scanner) + CI#3
Merged
Wire treefmt-nix (nixfmt) and cachix/git-hooks.nix into the flake so `nix fmt`, `nix flake check`, and pre-push hooks all share one config:
- nixfmt via treefmt-nix (`nix fmt`, treefmt.nix)
- statix (Nix anti-patterns) and deadnix (dead code) hooks
- gitleaks secret scanner as a custom hook reading .gitleaks.toml
- pre-commit-check installed as a pre-push hook on `nix develop`
- aarch64-darwin added to per-system outputs so checks run on macOS; Linux-only outputs (deploy/xmonad shells, packages, apps) gated
- GH Actions workflows: nix flake check on PRs, weekly flake.lock PR
Idiomatic Nix rewrites from `statix fix`:
- `if x ? y then x.y else default` → `x.y or default`
- `{ x = x; ... }` → `{ inherit x; ... }`
- `{ ... }:` → `_:` for unused argument patterns
- a few `let` binding cleanups
The default `gitleaks detect` scans the full git history, which surfaces secrets from long-deleted files (davmail config, old .npmrc tokens, etc.) on every push. For a pre-push hook the relevant scope is "what's about to be sent", not the full audit. `--no-git` scans the working tree only. History audit can still be run on demand: `gitleaks detect --source=.`.
Auto-fixes from `deadnix --edit`:
- Unused module function args (config, lib, pkgs, options, system) removed from modules that don't reference them
- Unused let bindings removed (is_stable in two places, removeHostname, unused lambda args in flake.nix, etc.)

Also drop `home-manager` from the overlay.nix call site in flake.nix — deadnix removed it from overlay.nix's parameter list since it wasn't used; the call site had to follow.
statix W20 flags split assignments to the same top-level key (e.g.
`services.foo = ...; services.bar = ...;`) and suggests nesting them
into a single attribute set (`services = { foo = ...; bar = ...; };`).
Applied across modules/, machines/, and home-manager/. Also collapses
an empty function pattern `{ ... }: ...` to `_: ...` in qemu-vm.nix.
CI on the new check workflow surfaced three real issues in existing NixOS configurations:
- `systemd.sleep.extraConfig` is removed → use `systemd.sleep.settings.Sleep.HibernateDelaySec`
- `security.acme.defaults.credentialsFile` is renamed → use `environmentFile` (single env-file form, matches existing usage)
- `networking.resolvconf.enable` (default true) conflicts with `environment.etc."resolv.conf"` which is set by both NetworkManager and NixOS-WSL → disable globally
CI surfaced four more issues after the first round:
- `systemd.sleep.settings` is only declared when the standard systemd module is loaded — WSL skips that module → gate `modules/sleep.nix` config on `flavor != "wsl"`
- `pkgs.nodePackages.*` was removed; typescript, typescript-language-server, prettier, and mermaid-cli all live at the top level now
- `virtualisation.libvirtd.qemu.ovmf.enable` removed — OVMF images now ship with QEMU by default
Two CI fixes:

`nix flake check` asserts every nixosConfiguration has fileSystems."/". Two configs hit it:
- machines/generic.nix — only consumed by lib/nixos2hm for non-NixOS Linux; never booted. Stub with tmpfs.
- machines/qemu-vm.nix — meant for `nixos-rebuild build-vm` which overrides fileSystems itself. Real-ish stub so it can also evaluate standalone.

modules/sleep.nix forks on option existence: stable (25.11) still has `systemd.sleep.extraConfig`, unstable (which removed it) has `.settings.Sleep`. Drop the else-branch once stable catches up.
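The option-existence fork and the WSL gate described in the two commits above, as an added example (not the PR's own modules/sleep.nix). Assumed: a repo-defined `flavor` option that equals "wsl" on NixOS-WSL hosts, and an illustrative delay value; the branch on `options` keeps the module evaluating on both stable 25.11 and unstable without defining an option that does not exist.

```nix
# Added example, not the PR's modules/sleep.nix. Assumes a repo-defined `flavor`
# option that equals "wsl" on NixOS-WSL hosts; the delay value is illustrative.
{ config, lib, options, ... }:
let
  delay = "30min";
  # `or { }` keeps this evaluating where systemd.sleep is not declared at all
  # (NixOS-WSL skips the standard systemd module).
  sleepOpts = options.systemd.sleep or { };
in
{
  # mkIf only gates values; attribute names must not depend on `config`,
  # so the which-option decision is made on `options` (below), not here.
  config = lib.mkIf (config.flavor != "wsl") (
    # unstable: systemd.sleep.settings (extraConfig removed)
    lib.optionalAttrs (sleepOpts ? settings) {
      systemd.sleep.settings.Sleep.HibernateDelaySec = delay;
    }
    # stable 25.11: extraConfig only. Drop this branch once stable catches up.
    // lib.optionalAttrs (!(sleepOpts ? settings) && sleepOpts ? extraConfig) {
      systemd.sleep.extraConfig = "HibernateDelaySec=${delay}";
    }
  );
}
```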
`deploy-rs.lib.<system>.deployChecks` builds activation derivations for every node regardless of node system, so `checks.x86_64-linux` was trying to build rassie's aarch64-linux derivation on the x86_64 CI runner — fails with a platform mismatch. Filter the node set per-system so each architecture's checks only exercise its own nodes. CI on x86_64 verifies x86_64 nodes; when an aarch64 runner enters the matrix later it'll cover rassie.
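The per-system node filter described above, as an added example (not the PR's flake.nix). Assumed: deploy-rs nodes in `self.deploy.nodes` are named after their `self.nixosConfigurations` entries, so each node's platform can be read from its NixOS config rather than guessed from the hostname.

```nix
# Added example, not the PR's flake.nix. Assumes each deploy-rs node in
# `self.deploy.nodes` is named after its entry in `self.nixosConfigurations`.
{ self, nixpkgs, deploy-rs, ... }:
let
  inherit (nixpkgs) lib;
  linuxSystems = [ "x86_64-linux" "aarch64-linux" ];

  # Platform a node's NixOS configuration is built for, e.g. "aarch64-linux".
  nodeSystem = name:
    self.nixosConfigurations.${name}.config.nixpkgs.hostPlatform.system;

  # Keep only the nodes whose activation derivation builds natively on `system`;
  # without this, checks.x86_64-linux also tries to build every aarch64-linux node.
  nodesFor = system:
    lib.filterAttrs (name: _: nodeSystem name == system) self.deploy.nodes;
in
{
  checks = lib.genAttrs linuxSystems (system:
    deploy-rs.lib.${system}.deployChecks (self.deploy // { nodes = nodesFor system; })
  );
}
```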
Summary
Wires up a "compliance" baseline for the dotfiles flake — formatter, linters, secret scanner, and CI. Same checks run from `nix fmt`, `nix flake check`, pre-push hook, and GitHub Actions.
- `treefmt-nix` + `nixfmt` (RFC 166) for formatting (`nix fmt`)
- `cachix/git-hooks.nix` with hooks: treefmt, statix (anti-patterns), deadnix (dead code), gitleaks (secrets)
- `git push` only (commits stay free; push is the gate); installed automatically by `nix develop` shellHook
- `aarch64-darwin` added to supported systems; Linux-only outputs (deploy/xmonad shells, packages, apps) gated with `lib.optionalAttrs`
- W20)
- `nix flake check` on PRs to main; weekly `flake.lock` PR via `DeterminateSystems/update-flake-lock`
- `--no-git` so it scans the working tree, not 1900 commits of history (which surfaced old deleted files like davmail config and ancient npmrc tokens on every push)

Known unrelated issue

`nixosConfigurations.map` fails `nix flake check` with two pre-existing nixpkgs-unstable deprecations unrelated to this change:
- `systemd.sleep.extraConfig` → must move to `systemd.sleep.settings.Sleep`
- `networking.resolvconf.enable = true` conflicts with `environment.etc."resolv.conf"` being set

CI will surface this. Worth a separate follow-up commit to fix in `modules/sleep.nix` and `machines/map/default.nix`.
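The flake wiring described in the first commit message and in this summary (one treefmt config behind `nix fmt` and the hook, gitleaks as a custom hook scoped with `--no-git`, the hook installed by `nix develop`), as an added example that is not the PR's own flake.nix. Assumed: flake inputs named `nixpkgs`, `treefmt-nix` and `git-hooks`, a treefmt.nix that enables nixfmt, and a .gitleaks.toml at the repo root; the Linux-only output gating is left out.

```nix
# Added example, not the PR's flake.nix. Assumes inputs `nixpkgs`, `treefmt-nix`
# and `git-hooks` (cachix/git-hooks.nix), a treefmt.nix enabling nixfmt, and
# a .gitleaks.toml at the repo root.
{ self, nixpkgs, treefmt-nix, git-hooks, ... }:
let
  systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
  forAllSystems = nixpkgs.lib.genAttrs systems;
  pkgsFor = system: nixpkgs.legacyPackages.${system};
in
{
  # One treefmt config serves both `nix fmt` and the treefmt pre-push hook.
  formatter = forAllSystems (system:
    (treefmt-nix.lib.evalModule (pkgsFor system) ./treefmt.nix).config.build.wrapper
  );

  checks = forAllSystems (system: {
    pre-commit-check = git-hooks.lib.${system}.run {
      src = ./.;
      default_stages = [ "pre-push" ]; # push is the gate; commits stay free
      hooks = {
        treefmt = {
          enable = true;
          package = self.formatter.${system};
        };
        statix.enable = true;  # Nix anti-patterns
        deadnix.enable = true; # dead code
        gitleaks = {
          enable = true;
          name = "gitleaks";
          # --no-git scopes the scan to the working tree (what is about to be pushed);
          # --redact keeps matched secret values out of hook and CI output.
          # A full-history audit stays available on demand: gitleaks detect --source=.
          entry = "${(pkgsFor system).gitleaks}/bin/gitleaks detect --no-git --config=.gitleaks.toml --redact";
          pass_filenames = false;
        };
      };
    };
  });

  # Entering the shell installs the pre-push hook via git-hooks' shellHook.
  devShells = forAllSystems (system: {
    default = (pkgsFor system).mkShell {
      inherit (self.checks.${system}.pre-commit-check) shellHook;
      buildInputs = self.checks.${system}.pre-commit-check.enabledPackages;
    };
  });
}
```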